wso2is 5.3 account recovery using other email addresses - email

I have just implemented wso2is 5.3 and I am looking at setting up the password and username recovery options.
Wso2is is set up with our Active Directory domain as the primary user store. In AD, the 'mail' attribute holds the user's primary email address, and 'otherMailbox' contains additional, external email addresses for the user.
I would like to use the email recovery, but we can't use the primary email, since the password for that account is the password they are trying to reset. We need to have the recovery process use one of the addresses in 'otherMail'.
I can't find anywhere in the documentation where you can define any option for what email is used for the recovery process.
Is the primary email the only one supported for password recovery? How can I tell the password and username recovery process to use a different email?
Thanks
Don

The answer, it turns out, is to change the claim mapping for the email address claim in WSO2 to point to the otherMailbox attribute in AD. It properly deals with the multi-valued email address list and for the purposes of password recovery, it sends the notification to all of the listed email addresses.
We then created another claim called Campus Email and pointed it at the mail attribute in AD.
There doesn't seem to be any negative issue with having 'our' email not be the 'primary' email.
Don

Related

How to reset the GitHub.com password, when email is not verified?

When I logged into Github.com, it says:
Your password is weak and can be easily guessed. You must update your password to continue using GitHub.com.
And the page leads to resetting the password. When my email address is input, it says:
That address is not a verified primary email or is not associated with a personal user account. Organization billing emails are only for notifications
I have the username and correct password, but not the email. I'm wondering how to get the verified primary email, or can I reset the password in other ways?
You can now generate tokens for unlimited time using your old password which you can store in your local machine to access your repositories from the command line.

Should I verify email addresses of Google Sign In users?

I am implementing an email verification service, with the purpose of confirming that the person registering is indeed the owner of that email address (specifically, that they work at the organisation that the email domain belongs to).
I will send an email post-registration with a single-use link in it that will set their status to verified = 1.
Users can choose to register and log-in using either a simple email/password combination, or by using the Google Sign In service.
My question is: do I need to verify the ones that have registered with Google Sign In? In order to provide their email address to me, they had to sign in with Google, who then confirmed the address. Is there anything I've missed here, or can I immediately consider these users to be the verified owners of these addresses?
If you are using Google sign in there is no need to verify the user.
Whereas if you have your own login system, then you must verify the email, because if the email is not verified then you cannot have a forgotten-password feature through email, and also the user might not actually have had the email, so anyone else could create the same email and, if you have forgotten password through email, someone else could easily access others' data.

Get primary Exchange account mail address from registry

I have MS Exchange account as my primary mail account in my default mail profile. I need to get its mail address programmatically in some VBScript.
I've got Outlook installed, so I can do it like this:
MsgBox CreateObject("Outlook.Application").GetNamespace("MAPI").CurrentUser.PropertyAccessor.GetProperty("http://schemas.microsoft.com/mapi/proptag/0x39FE001E")
But only when Outlook is running, also I've got security prompts in Outlook, so I can't use this approach.
I've found that a bunch of information about profiles and accounts is stored in registry under HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\
I've found Email value for POP3 and IMAP accounts in subkeys of 9375CFF0413111d3B88A00104B2A6676 in default profile, but none of that for Exchange account.
Where can find a value for Exchange account mail address of current user in registry?
The name of your default profile is stored in
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\DefaultProfile
Use Redemption (RDO) instead of the standard Microsoft tools (CDO); you'll have better tools and no security prompts.
RDOSession.Logon method, which takes several parameters, including the MAPI profile name (pass an empty string to use the default MAPI profile):
Const olFolderInbox = 6  ' Outlook constants are not defined in late-bound VBScript
Set Session = CreateObject("Redemption.RDOSession")
Session.Logon                ' no profile name: use the default MAPI profile
Set Inbox = Session.GetDefaultFolder(olFolderInbox)
For Each Msg In Inbox.Items
    WScript.Echo Msg.Subject ' Debug.Print is VBA only; WScript.Echo works in VBScript
Next
Another option is to use ADSI and do an LDAP query.
See this answer.
Also see this.
Set MyUser = GetObject ("LDAP://CN=Administrator,CN=Users,DC=sunnydale,DC=muni")
For each email in MyUser.proxyAddresses
WScript.Echo email
Next
I didn't like the idea of using Redemption for that case. It's not free and requires additional movements to use. Anyway, I found an answer to my original question.
To get the user's primary SMTP address of the Outlook Exchange account on the end-user computer you need to search the registry down the key of the default mail profile (HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\<default profile name>, or HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\<default profile name> for older versions of Outlook) for the value named 001f6641. This value data has binary format and contains the mail address in a form like SMTP:john@example.com; just cut the SMTP: part out and you get the mail address.
The bad part is that you can't make it work with Outlook 2003. For that case you can search the registry the same way for the value named 001e660b, which contains the legacyExchangeDN. Then you make an LDAP query (probably to the Exchange AD by default) to find the person with that legacyExchangeDN. What you need is the proxyAddresses field. It has multiple values, and the one that starts with SMTP: (uppercase is important) contains the primary SMTP address.
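The registry walk described in the answer above, as an added PowerShell example (not code from the original poster). It assumes the default profile name for Outlook 2013 and later is stored in the DefaultProfile value under HKCU\Software\Microsoft\Office\<version>\Outlook, falls back to the Windows Messaging Subsystem path quoted above for older versions, and defaults to Office version 16.0 (change the parameter for your installation):

```powershell
function Get-OutlookPrimarySmtpAddress {
    # Assumption: Office version string; use '15.0' for Outlook 2013 as in the answer above.
    param([string]$OfficeVersion = '16.0')

    $outlookKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook"
    $legacyKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem'

    # 1. Locate the default profile name (assumed location for 2013+, then the older path).
    $profileName  = (Get-ItemProperty -Path $outlookKey -Name DefaultProfile -ErrorAction SilentlyContinue).DefaultProfile
    $profilesRoot = "$outlookKey\Profiles"
    if (-not $profileName) {
        $profileName  = (Get-ItemProperty -Path "$legacyKey\Profiles" -Name DefaultProfile -ErrorAction SilentlyContinue).DefaultProfile
        $profilesRoot = "$legacyKey\Profiles"
    }
    if (-not $profileName) { throw 'No default MAPI profile found in the registry.' }

    $profileKey = "$profilesRoot\$profileName"

    # 2. Walk every subkey for 001f6641. The 001f prefix is PT_UNICODE, so the REG_BINARY
    #    data is a NUL-terminated UTF-16LE string such as "SMTP:user@example.com".
    foreach ($key in Get-ChildItem -Path $profileKey -Recurse) {
        $raw = $key.GetValue('001f6641')
        if ($raw -is [byte[]]) {
            $text = [Text.Encoding]::Unicode.GetString($raw).TrimEnd([char]0)
            if ($text -match '^SMTP:(.+)$') { return $Matches[1] }
        }
    }

    # 3. Outlook 2003 fallback: 001e660b (PT_STRING8, single-byte) holds the legacyExchangeDN,
    #    which the caller resolves to the uppercase SMTP: entry of proxyAddresses via LDAP.
    foreach ($key in Get-ChildItem -Path $profileKey -Recurse) {
        $raw = $key.GetValue('001e660b')
        if ($raw -is [byte[]]) {
            return [pscustomobject]@{ LegacyExchangeDN = [Text.Encoding]::ASCII.GetString($raw).TrimEnd([char]0) }
        }
    }
    throw 'No Exchange account found in the default profile.'
}

Get-OutlookPrimarySmtpAddress
```

Run it in the end user's own session, since both registry hives live under HKEY_CURRENT_USER; no Outlook COM object and therefore no security prompt is involved.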

Intuit Open authentication and email addresses

At http://docs.developer.intuit.com/0025_Intuit_Anywhere/0010_Getting_Started/0030_Integrate_your_app/0030_Signing_Into_and_out_of_Intuit_From_Within_Your_App/Sign-in/Implement_SSO_and_OpenID_in_Your_App
it says the following:
"Intuit does not verify the user email address associated with the user's OpenID account. Therefore, do not use the email address for authentication and do not link user accounts based on email address."
What does it mean "do not use the email address for authentication"? I mean, isn't the user already authenticated through OpenID?
Also it says that the user email address is not verified. But what if my app needs to send an email to a user that has logged through OpenId. How can I be sure the user will actually get the email? What is the recommended pattern to handle that?
Thanks
EDIT: also, can I use the email to uniquely identify a user, and if not, what should I use to uniquely identify a user from the open id response?
EDIT 2: also, is the developer charged when a user logs in with open id and the 36 day trial expires? Or is it just when using the "Connect to quickbooks" that the developer is charged, in which case, open id authentication itself is free?
Clement,
It means when a customer goes to the Intuit Appcenter and creates an account the email is not verified immediately, so you cannot single sign on a user based only on their email address if they already have an account in your system. You need to prompt them to login one time to map the two accounts.
If they are completely new then you can auto provision an account on your side and single sign them in, if you require the customer to verify their email address then you can send them a verification email.
thanks
Jarred

Intermittent missing email address in facebook API

My application uses the "https://graph.facebook.com/me" request with an OAuth token to obtain properties about the user. Email address is one of the properties we need, and we do explicitly request that permission when we request access.
It's working fine 99% of the time, but on a few occasions the response comes back without any object in the JSON data named "email".
Is there an explanation as to why this might happen, such as a way a user could grant us permission but still block their email address? Or could it be found under another key?
Thanks.
Short answer: Not all users have an email address available and those who do may not have a valid, reachable email address
The documentation for the email field of the user object ( https://developers.facebook.com/docs/reference/api/user/ ) clarifies the expected behaviour here, which is:
"this field will not be returned if no valid email address is available"
There are a number of circumstances in which you may think a user should have an email address returned but they will not. Some common reasons:
No Email address on account
No confirmed, verified email address on account
User entered a security checkpoint which required them to reconfirm their email address and they have not yet done so
User's email address is unreachable
You also need the email extended permission (which users can choose not to allow), even for users who have a valid, confirmed, reachable email address on file.
The mobile signup form at http://touch.facebook.com/r.php allows you to signup with an email address or phone number. So I don't think all Facebook users have an email address stored with them.
The user can revoke the email address permission on the app privacy settings page without revoking the full application. You could first call /me/permissions to make sure the email permission is still granted.
If you are using facebook SDK 2.4 or higher you need to add "fields" in the strategy
Below is an example for oAuth library.
FacebookStrategy.php line 131
BEFORE:
$me = $this->serverGet('https://graph.facebook.com/me', array('access_token' => $access_token), null, $headers);
AFTER:
$me = $this->serverGet('https://graph.facebook.com/me', array('access_token' => $access_token,'fields'=>'email,name,first_name,last_name,age_range,gender'), null, $headers);
Regardless of the field list, if you want to get more information that is not by default provided by Facebook, the permissions need to be in the "scope" array.
Default data provided by SDK includes: email, public profile, user_friends
Had the same problem and discovered that in the rare cases where this happens the user did not have a primary email address defined (although 2 addresses were registered). We're not able to reproduce such a constellation, since normally it is not possible not to have a primary email address.
Can anyone confirm something similar?
The missing email field happens when the user doesn't confirm their primary address by clicking the link in the activation message.